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Amended claims follow; 

I . (Currently Amended) A system for identifying a macro virus 
family using a macro virus definitions database, comprising: 

a macro virus definitions database comprising a set of indices and macro 
vims definition data files with each index referencing one or more of the macro 
virus definition data files and each macro virus definition data file defining macro 
virus attributes for known macro viruses that are each comprised of at least one 
macro, the sets of the indices and the macro virus definition data files being 
organized into a hierarchy according to macro virus families based on a type of 
application to which the macro applies; 

a parser parsing a suspect file into tokens comprising one of individual 
string constants and source code text and storing the tokens as suspect strings into 
a hierarchical parse tree; 

a macro virus checker comparing each suspect string to the macro virus 
attributes defined in the one or more macro virus definition data files for each 
macro virus family in the macro virus definitions database and determining each 
macro virus family to which the suspect string belongs from the index for each 
macro virus definition data file at least partially containing the suspect string; 

the macro virus checker parsing the macro virus attributes from one or 
more file objects and analyzing the macro virus definition data files by index for 
each macro virus family; and 

the macro virus checker iteratively retrieving each macro virus definition 
data file using the index for each macro virus family and providing the macro 
virus attributes defined in the retrieved macro virus definition data file^ 

wherein the macro virus defin itions database stores at least one of string 
constants and source cod e text common to each macro virus family in the macro 
virus attributes for the ma cro virus definition data files; and the macro virus 
checker compares each suspect string t o the at least one of string constants and 
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source code text in the one or more macro virus definition data fi les for each 
macro virus family; 

wherein a parameter is utilized for specifying a threshold to m atches of 
commonly shared at least one of string constants and source code text 

2. (Original) A system according to Claim 1, further comprising: 
the macro virus definition data files being indexed into the macro virus 

families categorized by a replication method employed. 

3. (Previously Presented) A system according to Claim 1, wherein the 
suspect string comprises part of the suspect file comprising a plurality of 
individual suspect strings. 

4. (Previously Presented): A system according to Claim 3, further 
comprising: 

the macro virus checker identifying a replication method common to a 
plurality of the individual suspect strings in the suspect file, 

5. (Original) A system according to Claim 4, further comprising; 
the macro virus checker identifying the macro virus family by which the 

common replication method is indexed. 

6. -11. (Cancelled) 
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12. (Original) A system according to Claim 1, further comprising; 
the macro virus checker resetting the index referencing one or more of the 

macro virus definition data files for at least one macro virus family and creating a 
new macro virus definition data file entry comprising an index referencing one or 
more macro virus definition files. 

13. (Original) A system according to Claim 12, further comprising: 
the new macro virus definition data file entry defining the macro virus 

attributes by storing at least one of a string constant and source code text. 

14. (Cancelled) 

1 5. (Previously Presented) A system according to Claim 1 5 further 
comprising; 

the macro virus checker cross referencing at least one of a string constant 
and source code text from the parsed macro file attributes against the macro virus 
attributes defined in the virus definition data files. 

16. (Cancelled) 

1 7. (Currently Amended) A method for identifying a macro virus 
family using a macro virus definitions database, comprising: 

maintaining a macro virus definitions database comprising a set of indices 
and macro virus definition data files with each index referencing one or more of 
the macro virus definition data files and each macro virus definition data file 
defining macro virus attributes for known macro viruses that are each comprised 
of at least one macro; 

organizing the sets of the indices and the macro virus definition data files 
into a hierarchy according to macro virus families based on a type of application 
to which the macro applies; 
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parsing a suspect file into tokens comprising one of individual string 
constants and source code text and storing the tokens as suspect strings into a 
hierarchical parse tree; 

comparing each [the] suspect string to the macro virus attributes defined in 
the one or more macro virus definition data files for each macro viais family in 
the macro virus definitions database; and 

determining each macro virus family to which the suspect string belongs 
from the index for each macro virus definition data file at least partially 
containing the suspect string; 

parsing the macro virus attributes from one or more file objects and 
analyzing the macro virus definition data files by index for each macro virus 
family; and 

iteratively retrieving each macro virus definition data file using the index 
for each macro virus family and providing the macro virus attributes defined in 
the retrieved macro virus definition data file; 

wherein the macro virus definitions database stores at least one of string 
constants and source code text common to each macro virus family in the macro 
virus attributes for the macro virus definition data files; and a comparison is 
performed between each suspect strinp and the at least one of string constants and 
source code text in the one or more macro virus definition data files for each 
macro virus family: 

wherein a parameter is utilized for specifying a threshold to matches of 
commonly shared at least one of string constants and source code text . 

1 8. (Original) A method according to Claim 1 7, further comprising: 
indexing the macro virus definition data files into the macro virus families 

categorized by a replication method employed. 

19. (Previously Presented) A method according to Claim 17, further 
comprising: 
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providing the suspect string as part of the suspect file comprising a 
plurality of individual suspect strings. 

20. (Previously Presented) A method according to Claim 1 9, further 
comprising: 

identifying a replication method common to a plurality of the individual 
suspect strings in the suspect file. 

21 . (Original) A method according to Claim 20, further comprising: 
identifying the macro virus family by which the common replication 

method is indexed, 

22. -27. (Cancelled) 

28 . (Original) A method according to Claim 1 7, further comprising: 
resetting the index referencing one or more of the macro virus definition 

data files for at least one macro virus family; and 

creating a new macro virus definition data file entry comprising an index 

referencing one or more macro virus definition files. 

29. (Original) A method according to Claim 28, further comprising: 
defining the macro virus attributes for the new macro virus definition data 

file entry by storing at least one of a string constant and source code text. 

30. (Cancelled) 

3 1 . (Currently Amended) A method according to Claim 1 7, further 
comprising: 

cross referencing at least one of a string constant and source code text 
from the parsed macro file attributes against the macro virus attributes defined in 
the virus definition data files. 
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32. (Cancelled) 

33. (Currently Amended) A computer-readable storage medium 
holding code for performing the method according to Claims 17, 18, 19, 22, 25 or 
28. 

34. (Currently Amended) A system for identifying a macro virus 
family using a macro virus definitions database, comprising: 

a macro virus definitions database comprising a set of indices and 
associated macro virus definition data files, further comprising: 

one or more of the macro virus definition data files referenced by 
the associated index with each macro virus definition data file defining macro 
virus attributes for known macro viruses that are each comprised of at least one 
macro; 

a hierarchy organized according to a macro family to which each 
of the sets of the indices and the macro virus definition data files belong based on 
a type of application to which the macro applies; 

a parser parsing a suspect file into tokens comprising one of individual 
string constants and source code text and storing the tokens as strings into a 
hierarchical parse tree; 

a macro virus checker comparing one or more strings stored in a suspect 
file to the macro virus attributes defined in the one or more macro virus definition 
data files for each macro virus family in the macro virus definitions database and 
determining the macro virus family to which the suspect file belongs from the 
indices for each of the macro virus definition data files at least partially 
containing the suspect file; 

the macro virus checker parsing macro virus attributes from one or more 
file objects and analyzing the macro virus definition data files by index for each 
macro virus family; and 
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the macro virus checker iteratively retrieving each macro virus definition 
data file using the index for each macro virus family and providing the macro 
virus attributes defined in the retrieved macro virus definition data file; 

wher ein the macro virus definitions database stores at least one of string 
constants and source code text common to each macro vims family in the macro 
virus attributes for the macro viru s definition data files: and the macro virus 
checker compares a .suspect string t o the at least one of string constants and source 
code text in the one or more macr o virus definftion data files for each macro vims 
family: 

wherein a parameter is ut ilized for snecifving a threshold to matches of 
commonly shared at least one of string constants and source code text 

35, (Previously Presented) A system according to Claim 34, further 
comprising: 

each macro virus family defined according to a replication method common to 
each of the macro virus definition data files associated with one such index. 

36. -37. (Cancelled) 

38. (Currently Amended) A system according to Claim [36]34, further 
comprising: 

the macro virus checker designating a minimum length of commonly shared 
string constants. 



39. (Currently Amended) A method for identifying a macro virus family using 
a macro virus definitions database, comprising: 

maintaining a macro virus definitions database comprising a set of indices and 
associated macro virus definition data files, further comprising: 

referencing one or more of the macro virus definition data files by the 
associated index with each macro virus definition data file defining macro virus attributes 
for known macro viruses that are each comprised of at least one macro; 
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organizing the sets of the indices and the macro virus definition data files into a 
hierarchy according to macro virus families based on a type of application to which the 
macro applies; 

parsing a suspect file into tokens comprising one of individual string constants 
and source code text and storing the tokens as strings into a hierarchical parse tree; 

comparing the strings to the macro virus attributes defined in the one or more 
macro virus definition data files for each macro virus family in the macro virus 
definitions database; 

determining the macro virus family to which the suspect file belongs from the 
indices for each of the macro virus definition data files at least partially containing the 
suspect file; 

parsing macro virus attributes from one or more file objects and analyzing the 
macro virus definition data files by index for each macro virus family; and 

iteratively retrieving each macro virus definition data file using the index for each 
macro virus family and providing the macro virus attributes defined in the retrieved 
macro virus definition data file^ 

wherein the macro virus definitio ns database stores at least one of string constants 
and source code text common to each marrn v irus family in the macro vims attributes for 
the macro virus definition data files: and a nn m parison is performed between a snsp ^ 
st ring and the at least one of string consta n ts and source code text in the one or more 
macro virus definition data files for each macro virus familv: 

wherein a parameter is utilized for spe cifying a threshold to matches of commonly 
shared at least one of string constants and source code text. 



40. (Previously Presented) A method according to Claim 39, further 
comprising: 

defining each macro virus family according to a replication method common to 
each of the macro virus definition data files associated with one such index. 

41. -42 (Cancelled) 
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43. (Currently Amended) A method according to Claim [41]3J, further 
comprising; designating a minimum length of commonly shared string constants. 

44. (Currently Amended) A computer-readable storage medium holding code 
for performing the method according to Claims 39, pr.40 t or 41-. 
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